Virtumonde.dll Infection And Automatic Updates Disabled (among Other Things)


10 replies to this topic

#1 jso113

  • Members
  • 6 posts

Posted 29 May 2008 - 08:31 AM

Hello,

I have tried my best to resolve this on my own, but I can't seem to get rid of everything. I get popups (although they are minimal), and I also cannot get the Automatic Update service running on my computer to get updates from Microsoft. When I try to turn it on in the Security Center, it says it cannot be started, and when I try to start it manually in Services (services.msc), it always goes back to Disabled.

Any help is greatly appreciated!!!

Here are my Kaspersky and DSS/HijackThis reports.

Kaspersky
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 29, 2008 08:20:39
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/05/2008
Kaspersky Anti-Virus database records: 720658

Scan Settings
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects: 44720
Number of viruses found: 22
Number of infected objects: 37
Number of suspicious objects: 0
Duration of the scan process: 00:53:17

Infected Object Name  Virus Name  Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat  Object is locked  skipped
C:\Documents and Settings\Jackie\.jpi_cache\jar\1.0\ms0311.jar-420a3704-5a3ddd08.zip/TakePrivileges.class  Infected: Trojan-Downloader.Java.OpenConnection.ak  skipped
C:\Documents and Settings\Jackie\.jpi_cache\jar\1.0\ms0311.jar-420a3704-5a3ddd08.zip/SuperMSClassLoader.class  Infected: Trojan.Java.ClassLoader.aq  skipped
C:\Documents and Settings\Jackie\.jpi_cache\jar\1.0\ms0311.jar-420a3704-5a3ddd08.zip/Installer.class  Infected: Trojan-Downloader.Java.OpenConnection.ak  skipped
C:\Documents and Settings\Jackie\.jpi_cache\jar\1.0\ms0311.jar-420a3704-5a3ddd08.zip  ZIP: infected - 3  skipped
C:\Documents and Settings\Jackie\Cookies\index.dat  Object is locked  skipped
C:\Documents and Settings\Jackie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\Jackie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\Jackie\Local Settings\History\History.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\Jackie\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat  Object is locked  skipped
C:\Documents and Settings\Jackie\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\Jackie\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\Jackie\ntuser.dat.LOG  Object is locked  skipped
C:\Documents and Settings\LocalService\Cookies\index.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG  Object is locked  skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG  Object is locked  skipped
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\rawlog.log  Object is locked  skipped
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\seclog.log  Object is locked  skipped
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\syslog.log  Object is locked  skipped
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\tralog.log  Object is locked  skipped
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AMPlugin.dll  Infected: Trojan.Win32.Agent.muz  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027573.dll  Infected: Trojan-Downloader.Win32.Mutant.yf  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027578.sys  Infected: Trojan-Dropper.Win32.Agent.ror  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027589.dll  Infected: Trojan-Downloader.Win32.Mutant.yf  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027594.sys  Infected: Trojan-Dropper.Win32.Agent.ror  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027602.dll  Infected: Trojan-Downloader.Win32.Mutant.yf  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027607.sys  Infected: Trojan-Dropper.Win32.Agent.ror  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028603.dll  Infected: Trojan-Downloader.Win32.Mutant.yf  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028608.sys  Infected: Trojan-Dropper.Win32.Agent.ror  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028611.dll  Infected: Trojan-Downloader.Win32.Mutant.yf  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028615.sys  Infected: Trojan-Dropper.Win32.Agent.ror  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028623.dll  Infected: Trojan-Downloader.Win32.Mutant.yf  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028630.sys  Infected: Trojan-Dropper.Win32.Agent.ror  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028633.dll  Infected: Trojan-Downloader.Win32.Mutant.yf  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028638.sys  Infected: Trojan-Dropper.Win32.Agent.ror  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028642.dll  Infected: Trojan.Win32.Vapsup.fja  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028643.exe  Infected: Trojan.Win32.Vapsup.fry  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028668.dll  Infected: Trojan-Downloader.Win32.Mutant.yf  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029747.dll  Infected: Trojan.Win32.Vapsup.fhr  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029749.dll  Infected: Trojan.Win32.Vapsup.fho  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029751.dll  Infected: Trojan.Win32.Vapsup.fkl  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029752.exe  Infected: Trojan.Win32.Vapsup.fhq  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029753.dll  Infected: Trojan.Win32.Vapsup.fhp  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029754.dll  Infected: Trojan.Win32.Vapsup.fhs  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP426\A0030755.dll  Infected: Trojan.Win32.Vapsup.fkk  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0031897.exe  Infected: Trojan.Win32.Vapsup.fkj  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0031898.dll  Infected: Trojan.Win32.Vapsup.fjr  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032940.dll  Infected: Trojan.Win32.Vapsup.fsz  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032941.exe  Infected: Trojan.Win32.Agent.mtm  skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428\change.log  Object is locked  skipped
C:\WINDOWS\CSC\00000001  Object is locked  skipped
C:\WINDOWS\Debug\PASSWD.LOG  Object is locked  skipped
C:\WINDOWS\ednb.exe  Infected: Trojan.Win32.Vapsup.fki  skipped
C:\WINDOWS\emxa.exe  Infected: Trojan.Win32.Vapsup.fht  skipped
C:\WINDOWS\gnowmebk.dll  Infected: Trojan.Win32.Vapsup.fnv  skipped
C:\WINDOWS\SchedLgU.Txt  Object is locked  skipped
C:\WINDOWS\system32\CatRoot2\edb.log  Object is locked  skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb  Object is locked  skipped
C:\WINDOWS\system32\config\AppEvent.Evt  Object is locked  skipped
C:\WINDOWS\system32\config\DEFAULT  Object is locked  skipped
C:\WINDOWS\system32\config\default.LOG  Object is locked  skipped
C:\WINDOWS\system32\config\Internet.evt  Object is locked  skipped
C:\WINDOWS\system32\config\SAM  Object is locked  skipped
C:\WINDOWS\system32\config\SAM.LOG  Object is locked  skipped
C:\WINDOWS\system32\config\SecEvent.Evt  Object is locked  skipped
C:\WINDOWS\system32\config\SECURITY  Object is locked  skipped
C:\WINDOWS\system32\config\SECURITY.LOG  Object is locked  skipped
C:\WINDOWS\system32\config\SOFTWARE  Object is locked  skipped
C:\WINDOWS\system32\config\software.LOG  Object is locked  skipped
C:\WINDOWS\system32\config\SysEvent.Evt  Object is locked  skipped
C:\WINDOWS\system32\config\SYSTEM  Object is locked  skipped
C:\WINDOWS\system32\config\system.LOG  Object is locked  skipped
C:\WINDOWS\system32\h323log.txt  Object is locked  skipped
C:\WINDOWS\system32\mlJAqrRh.dll  Infected: Trojan-Downloader.Win32.ConHook.rr  skipped
C:\WINDOWS\system32\pavjob.log  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP  Object is locked  skipped
C:\WINDOWS\system32\wgw.dll  Object is locked  skipped

Scan process completed.

main.txt
Deckard's System Scanner v20071014.68
Run by Jackie on 2008-05-29 08:25:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
6: 2008-05-29 12:26:03 UTC - RP430 - Deckard's System Scanner Restore Point
5: 2008-05-28 22:05:17 UTC - RP429 - System Checkpoint
4: 2008-05-27 20:01:23 UTC - RP428 - Installed Ad-Aware
3: 2008-05-22 22:41:21 UTC - RP427 - System Checkpoint
2: 2008-05-21 16:04:16 UTC - RP426 - System Checkpoint

-- First Restore Point --
1: 2008-05-20 17:04:14 UTC - RP425 - Last known good configuration

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-29 08:27:18
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USS\USS.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\Pavfires.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Pavsrv51.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Avengine.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Pavproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jackie\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {01CA955B-59E4-4CA6-8405-8BA4D80A56DD} - (no file)
O2 - BHO: (no name) - {1AF3B489-9FFB-4253-960F-D5D1090EF2C2} - C:\WINDOWS\system32\khfFYOGX.dll (file missing)
O2 - BHO: (no name) - {2BAFA278-737B-4276-ABCD-AACF40B656E1} - C:\WINDOWS\system32\nnnoMGWp.dll
O2 - BHO: (no name) - {2C6BB807-FFEF-419A-BDA6-93BD87471CC1} - C:\WINDOWS\system32\ddcCSLCu.dll (file missing)
O2 - BHO: (no name) - {4167B170-B9A2-42AA-8452-8F2712868C61} - C:\WINDOWS\system32\pmnoMebX.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {56BC7847-1C94-4456-843D-6E66B74926E1} - C:\WINDOWS\system32\xxyyaYQG.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: QXK Olive - {698930F0-B033-46DC-82F8-8B6DD6BF84C3} - C:\WINDOWS\boqnrwdmtpe.dll (file missing)
O2 - BHO: QXK Olive - {72976A08-625C-41C1-AD59-780F96CC2473} - C:\WINDOWS\nldfmtappdm.dll (file missing)
O2 - BHO: QXK Rhythm - {744ED899-9428-4EDB-9658-E5E3272D7D39} - C:\WINDOWS\nldfmtapxqm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: (no name) - {CAA96B69-29C7-49F2-A78C-9EABCD4AFDE8} - C:\WINDOWS\system32\efcYQKEw.dll (file missing)
O2 - BHO: (no name) - {DC02BAEA-39EE-42CF-BAF5-65FE64660E27} - C:\WINDOWS\system32\urqNDUnl.dll (file missing)
O2 - BHO: (no name) - {EF4CC146-43C9-4741-8D21-EB5035A4EBEC} - C:\WINDOWS\system32\mlJAqrRh.dll
O2 - BHO: (no name) - {F50A7216-7374-41F1-A33B-B447FDAC6854} - C:\WINDOWS\system32\hgGabYOh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Jackie\LOCALS~1\Temp\stdcons.exe/r
O4 - HKLM\..\Run: [SystemDoctor Free] C:\Program Files\System Doctor Free\systemdoc.exe /min
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options Group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212005764760
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\aatp.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: mlJAqrRh - C:\WINDOWS\system32\mlJAqrRh.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\system32\WinCtrl32.dll (file missing)
O21 - SSODL: wlVwrv - {DCB45AF2-761E-F058-C074-7E84B7F0304B} - C:\WINDOWS\system32\wgw.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\Pavfires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Pavsrv51.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\system32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSvc.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 10977 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAA~1\pavscrip.exe "%1" %*
.vbs - VBSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAA~1\pavscrip.exe "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Shockprf - c:\windows\system32\drivers\shockprf.sys <Not Verified; IBM Corporation; IBM Hard Drive Active Protection System>
R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 ANC - c:\windows\system32\drivers\anc.sys <Not Verified; IBM Corp.; IBM Access Connections>
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 ShockMgr - c:\windows\system32\drivers\shockmgr.sys <Not Verified; IBM Corporation; IBM Hard Drive Active Protection System>
R1 Smapint - c:\windows\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT(tm) Operating System>
R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.0.0.8) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.0.0.8>
R2 EGATHDRV (IBM Access Support) - c:\windows\system32\egathdrv.sys <Not Verified; IBM Corporation; IBM eGatherer>
R2 ibmfilter - c:\windows\system32\drivers\ibmfilter.sys <Not Verified; IBM; FFE and RRU>
R2 PAVDRV (Panda anti-virus driver) - c:\windows\system32\drivers\pavdrv51.sys <Not Verified; Panda Software; Panda® Antivirus>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT(tm) Operating System>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 wg3n (SyGate for NT, wg3n) - c:\windows\system32\drivers\wg3n.sys <Not Verified; Sygate Technologies, Inc.; Sygate WGXN>
R3 ComFiltr (Panda Anti-Dialer) - c:\windows\system32\drivers\comfiltr.sys (file missing)
S0 lpT83 - c:\windows\system32\drivers\lpt83.sys (file missing)
S3 psadd (IBM PSA Access Driver) - c:\windows\system32\drivers\psadd.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 QCNDISIF - c:\windows\system32\drivers\qcndisif.sys <Not Verified; IBM Corporation.; IBM ThinkPad Utility>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 IBM Rapid Restore Ultra Service - "c:\program files\ibm\ibm rapid restore ultra\rrpcsb.exe" <Not Verified; ; rrpcsb Module>
R2 PAVFIRES (Panda Firewall Service) - c:\program files\panda software\panda antivirus platinum\firewall\pavfires.exe <Not Verified; Panda Software; Platinum 7 Pavfires>
R2 PAVSRV (Panda anti-virus service) - c:\program files\panda software\panda antivirus platinum\pavsrv51.exe <Not Verified; Panda Software; Panda Antivirus>
R2 QCONSVC - system32\qconsvc.exe <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R2 RegSrvc - c:\windows\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 TpKmpSVC (IBM KCU Service) - c:\windows\system32\tpkmpsvc.exe
R2 vtserver (Protector Suite Virtual Token) - "c:\program files\common files\virtual token\vtserver.exe" <Not Verified; UPEK Inc.; IBM fingerprint software>
S3 PsaSrv (IBM PSA Access Driver Control) - c:\windows\system32\psasrv.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-05-28 09:00:00       390 --ah----- C:\WINDOWS\Tasks\{E83A39BC-58F5-45CD-8FB3-5C38F9591C02}_MZB_fpeticca.job
2008-05-27 16:00:00       390 --ah----- C:\WINDOWS\Tasks\{41068522-6FBB-41C3-AACA-3FE827AC1FE9}_MZB_fpeticca.job
2008-05-16 16:00:00       390 --ah----- C:\WINDOWS\Tasks\{25C16776-D763-43B7-9B93-E61A6D715EB2}_MZB_fpeticca.job
2005-04-28 15:26:56       314 --a------ C:\WINDOWS\Tasks\BMMTask.job

-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-28 16:40:54         0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-28 16:40:50         0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-28 16:40:48         0 d-------- C:\WINDOWS\LastGood
2008-05-28 16:15:09     95232 --a------ C:\WINDOWS\system32\ywgcebss.dll
2008-05-28 16:14:26    604899 --ahs---- C:\WINDOWS\system32\pWGMonnn.ini2
2008-05-28 16:14:21    322816 --a------ C:\WINDOWS\system32\nnnoMGWp.dll
2008-05-28 11:11:59    533815 --ahs---- C:\WINDOWS\system32\hOYbaGgh.ini2
2008-05-28 09:27:20     95744 --a------ C:\WINDOWS\system32\jtvyhekf.dll
2008-05-28 08:45:19    533305 --ahs---- C:\WINDOWS\system32\wEKQYcfe.ini2
2008-05-27 22:46:51     96256 --a------ C:\WINDOWS\system32\avybmfrg.dll
2008-05-27 16:01:36         0 d-------- C:\Program Files\Lavasoft
2008-05-27 16:01:35         0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-27 13:57:12      3248 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-26 22:45:24     90112 --a------ C:\WINDOWS\system32\kaypvmhp.dll
2008-05-26 22:42:40     90112 --a------ C:\WINDOWS\system32\xrevljqr.dll
2008-05-26 22:41:48     81920 --a------ C:\WINDOWS\xmpstean.exe
2008-05-26 22:41:48     94208 --a------ C:\WINDOWS\ekel.exe
2008-05-23 11:29:12    604848 --ahs---- C:\WINDOWS\system32\lnUDNqru.ini2
2008-05-23 06:05:47     94208 --a------ C:\WINDOWS\epse.exe
2008-05-21 17:44:20     11914 --a------ C:\WINDOWS\system32\drivers\wg3n.sys <Not Verified; Sygate Technologies, Inc.; Sygate WGXN>
2008-05-21 17:44:20     55888 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2008-05-21 17:44:18     18515 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2008-05-21 15:41:09      2247 --ahs---- C:\WINDOWS\system32\uCLSCcdd.ini2
2008-05-21 15:20:34     90112 --a------ C:\WINDOWS\system32\ernhoxub.dll
2008-05-21 14:38:31    780597 --ahs---- C:\WINDOWS\system32\GQYayyxx.ini2
2008-05-21 13:33:16         0 -rahs---- C:\MSDOS.SYS
2008-05-21 12:46:18    688328 --ahs---- C:\WINDOWS\system32\XGOYFfhk.ini2
2008-05-21 12:25:01     89088 --a------ C:\WINDOWS\system32\glunikmv.dll
2008-05-20 15:59:00         0 d-------- C:\!KillBox
2008-05-19 16:47:35     94208 --a------ C:\WINDOWS\ednb.exe
2008-05-18 09:29:02     81920 --a------ C:\WINDOWS\mdtgkswr.exe
2008-05-18 09:29:02    176128 --a------ C:\WINDOWS\gnowmebk.dll
2008-05-18 09:29:02    159744 --a------ C:\WINDOWS\esta.exe
2008-05-17 13:01:38     62910 --a------ C:\Program Files\Uninstall.exe <Not Verified; $PROGRAMNAME; $PROGRAMNAME>
2008-05-17 13:01:38         0 --a------ C:\Program Files\uninstall.dat
2008-05-17 12:58:43         0 d-------- C:\Documents and Settings\Jackie\Application Data\WinIFixer.com
2008-05-17 12:54:59         0 d-------- C:\Program Files\USS
2008-05-17 12:54:39         0 d-------- C:\Documents and Settings\Jackie\Application Data\System Doctor Free
2008-05-17 09:58:41         0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMonitor
2008-05-17 09:58:20         0 d-------- C:\Documents and Settings\All Users\Application Data\System Doctor Free
2008-05-17 08:52:45         0 d-------- C:\Documents and Settings\Jackie\Application Data\AXPDefender
2008-05-17 07:53:49    687818 --ahs---- C:\WINDOWS\system32\XbeMonmp.ini2
2008-05-17 07:51:35         0 d-------- C:\Program Files\AntiSpywareMaster
2008-05-17 07:48:50         0 d-------- C:\Documents and Settings\Jackie\Application Data\TmpRecentIcons
2008-05-16 22:22:38     29824 --a------ C:\WINDOWS\system32\mlJAqrRh.dll
2008-05-16 22:22:29     94208 --a------ C:\WINDOWS\emxa.exe
2008-05-16 22:22:22    160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-05-08 06:54:18         1 --a------ C:\WINDOWS\system32\kl_done

-- Find3M Report ---------------------------------------------------------------

2008-05-27 16:00:27         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 09:04:17         0 d-------- C:\Program Files\Common Files

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CA955B-59E4-4CA6-8405-8BA4D80A56DD}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AF3B489-9FFB-4253-960F-D5D1090EF2C2}]
			C:\WINDOWS\system32\khfFYOGX.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BAFA278-737B-4276-ABCD-AACF40B656E1}]
05/28/2008 16:14	322816	--a------	C:\WINDOWS\system32\nnnoMGWp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C6BB807-FFEF-419A-BDA6-93BD87471CC1}]
			C:\WINDOWS\system32\ddcCSLCu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4167B170-B9A2-42AA-8452-8F2712868C61}]
			C:\WINDOWS\system32\pmnoMebX.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56BC7847-1C94-4456-843D-6E66B74926E1}]
			C:\WINDOWS\system32\xxyyaYQG.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{698930F0-B033-46DC-82F8-8B6DD6BF84C3}]
			C:\WINDOWS\boqnrwdmtpe.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72976A08-625C-41C1-AD59-780F96CC2473}]
			C:\WINDOWS\nldfmtappdm.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{744ED899-9428-4EDB-9658-E5E3272D7D39}]
			C:\WINDOWS\nldfmtapxqm.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CAA96B69-29C7-49F2-A78C-9EABCD4AFDE8}]
			C:\WINDOWS\system32\efcYQKEw.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC02BAEA-39EE-42CF-BAF5-65FE64660E27}]
			C:\WINDOWS\system32\urqNDUnl.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF4CC146-43C9-4741-8D21-EB5035A4EBEC}]
05/16/2008 22:22	29824	--a------	C:\WINDOWS\system32\mlJAqrRh.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F50A7216-7374-41F1-A33B-B447FDAC6854}]
			C:\WINDOWS\system32\hgGabYOh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [03/26/2004 21:16 C:\WINDOWS\system32\TpShocks.exe]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe" [06/18/2003 13:00]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.exe" [04/29/2004 15:59]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [06/03/2004 01:51]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 01:50]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [06/24/2003 14:34]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/24/2003 14:33]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/18/2005 12:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/15/2005 11:19]
"advap32"="C:\DOCUME~1\Jackie\LOCALS~1\Temp\stdcons.exe/r" []
"SystemDoctor Free"="C:\Program Files\System Doctor Free\systemdoc.exe" []
"USS"="C:\Program Files\USS\USS.exe" [02/08/2008 14:37]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/15/2005 11:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24]
"Regscan"="C:\WINDOWS\system32\regscan.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=0
(0x0)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]"{EF4CC146-43C9-4741-8D21-EB5035A4EBEC}"= C:\WINDOWS\system32\mlJAqrRh.dll [05/16/2008 22:22 29824][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"wlVwrv"= {DCB45AF2-761E-F058-C074-7E84B7F0304B} - C:\WINDOWS\system32\wgw.dll [04/16/2007 11:52 32768][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]"System"=" "[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJAqrRh] mlJAqrRh.dll 05/16/2008 22:22 29824 C:\WINDOWS\system32\mlJAqrRh.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus] C:\Program Files\IBM fingerprint software\psfus.dll 09/24/2004 19:15 108636 C:\Program Files\IBM fingerprint software\psfus.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina] QConGina.dll 08/18/2004 06:30 258048 C:\WINDOWS\system32\QConGina.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32] WinCtrl32.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnoMGWp"Notification Packages"= scecli pwdmon[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-507921405-1801674531-1139\Scripts\Logoff\0\0]"Script"=logoff.bat[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-507921405-1801674531-1139\Scripts\Logon\0\0]"Script"=logon.bat[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-507921405-1801674531-500\Scripts\Logoff\0\0]"Script"=logoff.bat[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group 
policy\state\S-1-5-21-1123561945-507921405-1801674531-500\Scripts\Logon\0\0]"Script"=logon.bat[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lpT83.sys]@="Driver"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]@="Volume shadow copy"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnkbackup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnkbackup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\91317234466287321676910413741508]C:\Program Files\XP Antivirus\xpa.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMGAG]RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMMONWND]rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter]"C:\Program Files\IBM fingerprint software\ctlcntr.exe" 
/startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]C:\WINDOWS\system32\ctfmon.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]C:\WINDOWS\system32\dla\tfswctrl.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IBMPRC]C:\IBMTOOLS\UTILS\ibmprc.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]"C:\Program Files\Messenger\msmsgs.exe" /background[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCTRAY]C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]S3Tray2.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]tp4ex.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_SMB][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]C:\Program Files\IBM\Updater\\ucstartup.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]"C:\Program 
Files\Common Files\Sonic\Update Manager\sgtray.exe" /r[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinIFixer]C:\Program Files\WinIFixer\WinIFixer.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSpywareProtect (ver. 5.1)]"C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun*Newly Created Service* - COMFILTR-- Hosts -----------------------------------------------------------------------127.0.0.1	www.007guard.com127.0.0.1	007guard.com127.0.0.1	008i.com127.0.0.1	www.008k.com127.0.0.1	008k.com127.0.0.1	www.00hq.com127.0.0.1	00hq.com127.0.0.1	010402.com127.0.0.1	www.032439.com127.0.0.1	032439.com8588 more entries in hosts file.-- End of Deckard's System Scanner: finished at 2008-05-29 08:29:24 ------------

extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.80GHz
Percentage of Memory in Use: 78%
Physical Memory (total/avail): 510.92 MiB / 107.43 MiB
Pagefile Memory (total/avail): 1505.46 MiB / 993.43 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1902.2 MiB

C: is Fixed (NTFS) - 32.79 GiB total, 17.27 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS548040M9AT00 - 37.26 GiB - 2 partitions
 \PARTITION0 (bootable) - Installable File System - 32.79 GiB - C:
 \PARTITION1 - Unknown - 4.47 GiB


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: Panda Antivirus Platinum 7 v7.07.02 (Panda Software)
AV: Panda Antivirus Platinum 7 v7.07.02 (Panda Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"="C:\\Program Files\\IBM\\Updater\\ucsmb.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:*:Enabled:ActiveSync Application"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"="C:\\Program Files\\IBM\\Updater\\ucsmb.exe:*:Enabled:IBM Update Connector"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jackie\Application Data
CLASSPATH=C:\Program Files\IBM\Java141\jre\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FPETICCALT02
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jackie
IBMSHARE=C:\IBMSHARE
LOGONSERVER=\\FPETICCALT02
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\PROGRAM FILES\THINKPAD\UTILITIES;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\WINDOWS\Downloaded Program Files;C:\IBMTOOLS\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\Panda Software\Panda Antivirus Platinum\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.pyo;.pyc;.py;.pyw
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
PYTHONCASEOK=1
PYTHONPATH=C:\IBMTOOLS\utils\support;C:\IBMTOOLS\utils\logger
QTJAVA=C:\Program Files\IBM\Java141\jre\lib\ext\QTJava.zip
RRU=C:\Program Files\IBM\IBM Rapid Restore Ultra\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TCL_LIBRARY=C:\IBMTOOLS\Python22\tcl\tcl8.4
TEMP=C:\DOCUME~1\Jackie\LOCALS~1\Temp
TK_LIBRARY=C:\IBMTOOLS\Python22\tcl\tk8.4
TMP=C:\DOCUME~1\Jackie\LOCALS~1\Temp
USERDOMAIN=FPETICCALT02
USERNAME=Jackie
USERPROFILE=C:\Documents and Settings\Jackie
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

fpeticca (admin)
administrator.MZB (admin)
Frank (admin)
Jackie (admin)
fpeticca.FPETICCALT02 (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> "C:\Program Files\Uninstall.exe"
 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\SETUP.EXE" -l0x9 ControlPanelAnyText
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\SETUP.EXE" -l0x9 ControlPanel
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Access IBM --> MsiExec.exe /X{EC6AF20D-4376-4070-BEE4-D3A0DFF7E140}
Access IBM Message Center --> MsiExec.exe /X{F413B3A4-EE5D-457C-BAE5-6E58D9589ED5}
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
Atmel Tpm Install 2.1.1.01 --> MsiExec.exe /X{7AD4D6E7-CF00-4299-A8BF-EED77E37770E}
Battery Pack Pro (Pocket PC) from Omega One --> c:\Program Files\Omega One\BPP\setup.exe -u
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
HP Product Detection --> MsiExec.exe /I{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
IBM 32-bit Runtime Environment for Java 2, v1.4.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6C72E14A-C1F3-45E5-8810-83CE3C19ED63} /l1033
IBM Access Connections --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22B71A00-4DED-11D4-A5E5-0004AC564F43}\SETUP.EXE" -l0x9 anything
IBM Active Protection System --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72806716-7088-41B2-8FA6-717A2A164DAB}\SETUP.EXE" -l0x9 anything
IBM DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
IBM Integrated 56K Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014\HXFSETUP.EXE -U -IIBM0559K.INF
IBM RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
IBM Rescue and Recovery with Rapid Restore --> MsiExec.exe /X{11783F13-C3A9-44A8-929B-21A476F65272}
IBM Themes --> MsiExec.exe /I{6CE96A14-61E2-48CC-837E-22710A953ADE}
IBM ThinkPad Battery MaxiMiser and Power Management Features --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unbmm.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsbmm.dll"
IBM ThinkPad Configuration --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNTPUW.ISU -c"C:\Program Files\ThinkPad\Utilities\Tpinswin.dll"
IBM ThinkPad EasyEject Utility --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unezej.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsej.dll"
IBM ThinkPad Keyboard Customizer Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2111B23F-7FDA-4A41-8309-E5A1663CA296}\SETUP.EXE" -l0x9 anything
IBM ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
IBM ThinkPad Presentation Director --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNNPDR.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
IBM ThinkPad UltraNav Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
IBM ThinkPad UltraNav Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}\SETUP.EXE" UNINSTALL
IBM ThinkVantage Technologies Welcome Message --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1007F41F-7D69-468E-8017-3849A5A973C2}\SETUP.EXE" -l0x9 anything
IBM TrackPoint Accessibility Features --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA664480-3844-11D5-8C25-444553540000}\SETUP.EXE"
IBM Update Connector --> MsiExec.exe /X{8D815BF3-2399-459C-B121-49373FEFB9E8}
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® Sebring API --> MsiExec.exe /I{56373057-E823-4DDE-98C3-E89AEF7895B8}
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{872653C6-5DDC-488B-B7C2-CF9E4D9335E5} /l1033
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Microsoft ActiveSync 3.8 --> "C:\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Panda Antivirus Platinum --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E91563B4-D9EC-11D5-A2BB-00606771B69D}\setup.exe"
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
Pocket Informant Pro 2005 Rev 3 --> C:\Program Files\Pocket Informant\uninst.exe
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083} /l1033
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
ThinkPad FullScreen Magnifier --> RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.inf
ThinkPad Software Installer --> _tpiu000.exe /U
USS_DC_AM_Plugin 1.0.4.0 --> "C:\Program Files\USS\unins000.exe"
USS_USSDC 1.0.4.0 --> "C:\Program Files\USS\{20CF7FD9-6C26-450b-BC5B-B4AD67438A26}\unins000.exe"
Wallpapers --> MsiExec.exe /I{F386C340-DF4B-4BBA-9503-420FB7EDB395}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
WorldMate Pro for Pocket PC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E6729EAA-9868-4BAF-910E-33D05717371D}\Setup.exe" -l0x9
WorldMate® 2006 Professional Edition for Pocket PC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DA3982E6-D660-4E8D-88D4-6FF2068241E0}\Setup.exe" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type2955 / Warning
Event Submitted/Written: 05/27/2008 03:44:52 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type2945 / Error
Event Submitted/Written: 05/27/2008 01:39:35 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module comctl32.dll, version 5.82.2900.2982, fault address 0x00014808.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type2944 / Error
Event Submitted/Written: 05/27/2008 01:34:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application pavjobs.exe, version 2.12.0.0, faulting module unknown, version 0.0.0.0, fault address 0x35cd140a.
Processing media-specific event for [pavjobs.exe!ws!]

Event Record #/Type2943 / Error
Event Submitted/Written: 05/27/2008 01:09:40 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module comctl32.dll, version 5.82.2900.2982, fault address 0x00014808.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type2923 / Error
Event Submitted/Written: 05/23/2008 07:26:36 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module comctl32.dll, version 5.82.2900.2982, fault address 0x00014808.
Processing media-specific event for [iexplore.exe!ws!]


-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type41738 / Warning
Event Submitted/Written: 05/29/2008 06:09:09 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type41667 / Error
Event Submitted/Written: 05/28/2008 04:17:58 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type41666 / Error
Event Submitted/Written: 05/28/2008 04:17:58 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type41665 / Error
Event Submitted/Written: 05/28/2008 04:16:01 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type41664 / Error
Event Submitted/Written: 05/28/2008 04:15:52 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}


-- End of Deckard's System Scanner: finished at 2008-05-29 08:29:24 ------------
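A triage pass over the registry dump in the post above, added here as an example; it is not part of the original post, of Deckard's System Scanner, or of any tool the helpers use. It parses the dump's lines and applies the rules a helper applies by eye to this kind of log: a Browser Helper Object, ShellExecuteHook or ShellServiceObjectDelayLoad entry whose DLL sits directly in C:\WINDOWS or system32 (vendor BHOs install under Program Files), a Winlogon\Notify package outside the stock XP set, an extra entry in the LSA Authentication Packages or Notification Packages lists, and a Run value that launches from a Temp folder or that DSS printed with an empty "[]" because it could not find the file. The allowlists of stock Notify and SSODL entries are assumptions; the sample is constructed from lines in the log, and the parser accepts both the same-line layout seen on this page and DSS's layout with the DLL path on the line after the key. Legitimate third-party entries are flagged too (psfus from the IBM fingerprint software lands in the same bucket as mlJAqrRh), so a hit means "verify the publisher", not "delete".

```python
"""Triage autostart entries in a DSS/HijackThis-style registry dump.
Added example for this thread; not part of Deckard's System Scanner."""
import re

# Allowlists are assumptions: stock Winlogon\Notify subkeys, stock
# ShellServiceObjectDelayLoad values and stock LSA package lists on XP SP2.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
KNOWN_SSODL = {"webcheck", "postbootreminder", "cdburn", "systray", "upnpmonitor"}
LSA_STOCK = {"Authentication Packages": "msv1_0", "Notification Packages": "scecli"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\](?P<rest>.*)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.*$")
NOTIFY_PATH_RE = re.compile(r"\d+\s+(?P<path>[A-Za-z]:\\.*)$")   # "<size> <path>"
# SystemRoot is C:\WINDOWS in the log's environment block.
SYSROOT_DLL_RE = re.compile(r"^C:\\WINDOWS(?:\\system32)?\\[^\\]+\.dll$", re.I)
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.I)

# Constructed sample: lines copied from the dump above, one BHO written in
# DSS's two-line layout (DLL path on the line after the key).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CA955B-59E4-4CA6-8405-8BA4D80A56DD}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AF3B489-9FFB-4253-960F-D5D1090EF2C2}]
            C:\WINDOWS\system32\khfFYOGX.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BAFA278-737B-4276-ABCD-AACF40B656E1}]05/28/2008 16:14 322816 --a------ C:\WINDOWS\system32\nnnoMGWp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{698930F0-B033-46DC-82F8-8B6DD6BF84C3}]  C:\WINDOWS\boqnrwdmtpe.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [03/26/2004 21:16 C:\WINDOWS\system32\TpShocks.exe]
"advap32"="C:\DOCUME~1\Jackie\LOCALS~1\Temp\stdcons.exe/r" []
"SystemDoctor Free"="C:\Program Files\System Doctor Free\systemdoc.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EF4CC146-43C9-4741-8D21-EB5035A4EBEC}"= C:\WINDOWS\system32\mlJAqrRh.dll [05/16/2008 22:22 29824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wlVwrv"= {DCB45AF2-761E-F058-C074-7E84B7F0304B} - C:\WINDOWS\system32\wgw.dll [04/16/2007 11:52 32768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJAqrRh] mlJAqrRh.dll 05/16/2008 22:22 29824 C:\WINDOWS\system32\mlJAqrRh.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus] C:\Program Files\IBM fingerprint software\psfus.dll 09/24/2004 19:15 108636 C:\Program Files\IBM fingerprint software\psfus.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32] WinCtrl32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnoMGWp
"Notification Packages"= scecli pwdmon
""".strip().splitlines()


def _drive_path(text):
    """First drive-letter path in text, with DSS's trailing [date size] dropped."""
    m = DRIVE_PATH_RE.search(text.split(" [", 1)[0])
    return m.group(0).strip() if m else ""


def triage(lines):
    """Return (rule, item, detail) findings for the registry-dump lines."""
    findings, key, pending = [], "", None   # pending: BHO CLSID awaiting its DLL line
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            if pending:                          # previous BHO key had no DLL at all
                findings.append(("bho-unresolved", pending, ""))
                pending = None
            key_raw = m.group("key")
            key, leaf = key_raw.lower(), key_raw.rsplit("\\", 1)[-1]
            rest = m.group("rest").strip()
            if "browser helper objects" in key:
                # Vendor BHOs live under Program Files; Vundo drops random-named
                # DLLs straight into %SystemRoot% or system32.
                path = _drive_path(rest)
                if SYSROOT_DLL_RE.match(path):
                    findings.append(("bho-sysroot-dll", leaf, path))
                elif not path:
                    pending = leaf
            elif "\\winlogon\\notify\\" in key and leaf.lower() not in KNOWN_NOTIFY:
                pm = NOTIFY_PATH_RE.search(rest)
                findings.append(("notify-nonstock", leaf, pm.group("path") if pm else ""))
            continue
        v = VALUE_RE.match(line)
        if not v:                                # bare path line under a BHO key
            path = _drive_path(line)
            if pending and path:
                if SYSROOT_DLL_RE.match(path):
                    findings.append(("bho-sysroot-dll", pending, path))
                pending = None
            continue
        name, data = v.group("name"), v.group("data").strip()
        if key.endswith("\\run"):
            if TEMP_RE.search(data):
                findings.append(("run-from-temp", name, data))
            elif data.endswith("[]"):            # DSS could not find the file
                findings.append(("run-unresolved", name, data))
        elif key.endswith("\\shellexecutehooks"):
            path = _drive_path(data)
            if SYSROOT_DLL_RE.match(path):
                findings.append(("shellhook-sysroot-dll", name, path))
        elif key.endswith("\\shellserviceobjectdelayload"):
            if name.lower() not in KNOWN_SSODL:
                findings.append(("ssodl-nonstock", name, _drive_path(data)))
        elif key.endswith("\\lsa") and name in LSA_STOCK:
            for token in data.split(" [", 1)[0].split():
                if token.lower() != LSA_STOCK[name]:
                    findings.append(("lsa-extra-package", name, token))
    if pending:
        findings.append(("bho-unresolved", pending, ""))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```

Run against the full dump, the same rules pull out every random-named DLL that later shows up in the helper's deletion list, plus the one that matters most for the user's symptom: the extra LSA Authentication Package (nnnoMGWp) loads into lsass.exe at boot, which is why a reboot keeps undoing manual cleanup. The DCOM 10005 entries in the System Event Log belong to the same picture: Win32 error 1058 is ERROR_SERVICE_DISABLED, so the Automatic Updates service (wuauserv) is being set back to Disabled rather than failing to start.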



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:04:50 PM

Posted 30 May 2008 - 09:15 AM

Hello jso113 and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      Reg - Software Policy Settings
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 jso113

jso113
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:50 PM

Posted 30 May 2008 - 01:17 PM

OldTimer,

Thanks for your reply! I did as instructed and have attached the OTScanIt.txt to this thread.




#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:04:50 PM

Posted 30 May 2008 - 02:32 PM

Hi jso113. Ok, let's clean some of this up. Follow the steps below in order:

First we need to disable TeaTimer so it does not interfere with the changes we are going to make.
  • Start Spybot-S&D.
  • Go to the Mode menu, and make sure Advanced Mode is selected.
  • On the left hand side, choose Tools and then click on Resident.
  • Uncheck Resident TeaTimer and choose OK for any further prompts.
  • Restart your computer.
Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemroot%\ednb.exe
%systemroot%\ekel.exe
%systemroot%\emxa.exe
%systemroot%\epse.exe
%systemroot%\esta.exe
%systemroot%\gnowmebk.dll
%systemroot%\mdtgkswr.exe
%systemroot%\system32\avybmfrg.dll
%systemroot%\system32\buxohnre.ini
%systemroot%\system32\cocnsnjp.ini
%systemroot%\system32\ernhoxub.dll
%systemroot%\system32\fkehyvtj.ini
%systemroot%\system32\glunikmv.dll
%systemroot%\system32\gqyayyxx.ini
%systemroot%\system32\gqyayyxx.ini2
%systemroot%\system32\grfmbyva.ini
%systemroot%\system32\hfmkplds.ini
%systemroot%\system32\hoybaggh.ini
%systemroot%\system32\hoybaggh.ini2
%systemroot%\system32\jtvyhekf.dll
%systemroot%\system32\kaypvmhp.dll
%systemroot%\system32\kl_done
%systemroot%\system32\krkvursw.ini
%systemroot%\system32\llvffpdk.ini
%systemroot%\system32\lnudnqru.ini
%systemroot%\system32\lnudnqru.ini2
%systemroot%\system32\mljaqrrh.dll
%systemroot%\system32\moxbrvyt.ini
%systemroot%\system32\nbrstheu.ini
%systemroot%\system32\nnnomgwp.dll
%systemroot%\system32\phmvpyak.ini
%systemroot%\system32\pwgmonnn.ini
%systemroot%\system32\pwgmonnn.ini2
%systemroot%\system32\rqjlverx.ini
%systemroot%\system32\scui.cpl
%systemroot%\system32\ssbecgwy.ini
%systemroot%\system32\tyvrbxom.dll
%systemroot%\system32\uclsccdd.ini
%systemroot%\system32\uclsccdd.ini2
%systemroot%\system32\vmkinulg.ini
%systemroot%\system32\wekqycfe.ini
%systemroot%\system32\wekqycfe.ini2
%systemroot%\system32\wgvyokot.ini
%systemroot%\system32\wgw.dll
%systemroot%\system32\xbemonmp.ini
%systemroot%\system32\xbemonmp.ini2
%systemroot%\system32\xgoyffhk.ini
%systemroot%\system32\xgoyffhk.ini2
%systemroot%\system32\xrevljqr.dll
%systemroot%\system32\ywgcebss.dll
%systemroot%\tasks\{25c16776-d763-43b7-9b93-e61a6d715eb2}_mzb_fpeticca.job
%systemroot%\tasks\{41068522-6fbb-41c3-aaca-3fe827ac1fe9}_mzb_fpeticca.job
%systemroot%\tasks\{e83a39bc-58f5-45cd-8fb3-5c38f9591c02}_mzb_fpeticca.job
%systemroot%\xmpstean.exe
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
Folders to delete:
%allusersprofile%\application data\system doctor free
%appdata%\axpdefender
%appdata%\system doctor free
%appdata%\winifixer.com
%programfiles%\antispywaremaster

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> advap32 -> [C:\DOCUME~1\Jackie\LOCALS~1\Temp\stdcons.exe/r]
YN -> SystemDoctor Free -> %ProgramFiles%\System Doctor Free\systemdoc.exe [C:\Program Files\System Doctor Free\systemdoc.exe /min]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Regscan -> %SystemRoot%\system32\regscan.exe [C:\WINDOWS\system32\regscan.exe]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> {DCB45AF2-761E-F058-C074-7E84B7F0304B} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\wgw.dll [wlVwrv]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {EF4CC146-43C9-4741-8D21-EB5035A4EBEC} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\mlJAqrRh.dll []
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*System* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\System
YN -> ~EmptyValue -> .
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> mlJAqrRh -> %SystemRoot%\system32\mlJAqrRh.dll
YN -> WinCtrl32 -> WinCtrl32.dll
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoWindowsUpdate -> 0
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\NoControlPanel -> 0
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\\DisableWindowsUpdateAccess -> 0
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {01CA955B-59E4-4CA6-8405-8BA4D80A56DD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {0B04BE02-C176-4EB9-8C15-2775DBDE0133} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\nnnoMGWp.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {1AF3B489-9FFB-4253-960F-D5D1090EF2C2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\khfFYOGX.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {2C6BB807-FFEF-419A-BDA6-93BD87471CC1} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ddcCSLCu.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {4167B170-B9A2-42AA-8452-8F2712868C61} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\pmnoMebX.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {56BC7847-1C94-4456-843D-6E66B74926E1} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\xxyyaYQG.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {698930F0-B033-46DC-82F8-8B6DD6BF84C3} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\boqnrwdmtpe.dll [QXK Olive]
YN -> {72976A08-625C-41C1-AD59-780F96CC2473} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\nldfmtappdm.dll [QXK Olive]
YN -> {744ED899-9428-4EDB-9658-E5E3272D7D39} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\nldfmtapxqm.dll [QXK Rhythm]
YN -> {CAA96B69-29C7-49F2-A78C-9EABCD4AFDE8} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\efcYQKEw.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {DC02BAEA-39EE-42CF-BAF5-65FE64660E27} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\urqNDUnl.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {EF4CC146-43C9-4741-8D21-EB5035A4EBEC} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\mlJAqrRh.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {F50A7216-7374-41F1-A33B-B447FDAC6854} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\hgGabYOh.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\nnnoMGWp -> %SystemRoot%\system32\nnnoMGWp.dll
< BotCheck > -> 
[Files/Folders - Created Within 30 days]
NY -> avybmfrg.dll -> %SystemRoot%\System32\avybmfrg.dll
NY -> buxohnre.ini -> %SystemRoot%\System32\buxohnre.ini
NY -> cocnsnjp.ini -> %SystemRoot%\System32\cocnsnjp.ini
NY -> ernhoxub.dll -> %SystemRoot%\System32\ernhoxub.dll
NY -> fkehyvtj.ini -> %SystemRoot%\System32\fkehyvtj.ini
NY -> glunikmv.dll -> %SystemRoot%\System32\glunikmv.dll
NY -> GQYayyxx.ini -> %SystemRoot%\System32\GQYayyxx.ini
NY -> GQYayyxx.ini2 -> %SystemRoot%\System32\GQYayyxx.ini2
NY -> grfmbyva.ini -> %SystemRoot%\System32\grfmbyva.ini
NY -> hfmkplds.ini -> %SystemRoot%\System32\hfmkplds.ini
NY -> hOYbaGgh.ini -> %SystemRoot%\System32\hOYbaGgh.ini
NY -> hOYbaGgh.ini2 -> %SystemRoot%\System32\hOYbaGgh.ini2
NY -> jtvyhekf.dll -> %SystemRoot%\System32\jtvyhekf.dll
NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> kaypvmhp.dll -> %SystemRoot%\System32\kaypvmhp.dll
NY -> krkvursw.ini -> %SystemRoot%\System32\krkvursw.ini
NY -> llvffpdk.ini -> %SystemRoot%\System32\llvffpdk.ini
NY -> lnUDNqru.ini -> %SystemRoot%\System32\lnUDNqru.ini
NY -> lnUDNqru.ini2 -> %SystemRoot%\System32\lnUDNqru.ini2
NY -> mlJAqrRh.dll -> %SystemRoot%\System32\mlJAqrRh.dll
NY -> moxbrvyt.ini -> %SystemRoot%\System32\moxbrvyt.ini
NY -> nbrstheu.ini -> %SystemRoot%\System32\nbrstheu.ini
NY -> nnnoMGWp.dll -> %SystemRoot%\System32\nnnoMGWp.dll
NY -> phmvpyak.ini -> %SystemRoot%\System32\phmvpyak.ini
NY -> pWGMonnn.ini -> %SystemRoot%\System32\pWGMonnn.ini
NY -> pWGMonnn.ini2 -> %SystemRoot%\System32\pWGMonnn.ini2
NY -> rqjlverx.ini -> %SystemRoot%\System32\rqjlverx.ini
NY -> scui.cpl -> %SystemRoot%\System32\scui.cpl
NY -> ssbecgwy.ini -> %SystemRoot%\System32\ssbecgwy.ini
NY -> tyvrbxom.dll -> %SystemRoot%\System32\tyvrbxom.dll
NY -> uCLSCcdd.ini -> %SystemRoot%\System32\uCLSCcdd.ini
NY -> uCLSCcdd.ini2 -> %SystemRoot%\System32\uCLSCcdd.ini2
NY -> vmkinulg.ini -> %SystemRoot%\System32\vmkinulg.ini
NY -> wEKQYcfe.ini -> %SystemRoot%\System32\wEKQYcfe.ini
NY -> wEKQYcfe.ini2 -> %SystemRoot%\System32\wEKQYcfe.ini2
NY -> wgvyokot.ini -> %SystemRoot%\System32\wgvyokot.ini
NY -> XbeMonmp.ini -> %SystemRoot%\System32\XbeMonmp.ini
NY -> XbeMonmp.ini2 -> %SystemRoot%\System32\XbeMonmp.ini2
NY -> XGOYFfhk.ini -> %SystemRoot%\System32\XGOYFfhk.ini
NY -> XGOYFfhk.ini2 -> %SystemRoot%\System32\XGOYFfhk.ini2
NY -> xrevljqr.dll -> %SystemRoot%\System32\xrevljqr.dll
NY -> ywgcebss.dll -> %SystemRoot%\System32\ywgcebss.dll
NY -> ednb.exe -> %SystemRoot%\ednb.exe
NY -> ekel.exe -> %SystemRoot%\ekel.exe
NY -> emxa.exe -> %SystemRoot%\emxa.exe
NY -> epse.exe -> %SystemRoot%\epse.exe
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> esta.exe -> %SystemRoot%\esta.exe
NY -> gnowmebk.dll -> %SystemRoot%\gnowmebk.dll
NY -> mdtgkswr.exe -> %SystemRoot%\mdtgkswr.exe
NY -> xmpstean.exe -> %SystemRoot%\xmpstean.exe
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> AntiSpywareMaster -> %ProgramFiles%\AntiSpywareMaster
[Files/Folders - Modified Within 30 days]
NY -> avybmfrg.dll -> %SystemRoot%\System32\avybmfrg.dll
NY -> buxohnre.ini -> %SystemRoot%\System32\buxohnre.ini
NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> cocnsnjp.ini -> %SystemRoot%\System32\cocnsnjp.ini
NY -> ernhoxub.dll -> %SystemRoot%\System32\ernhoxub.dll
NY -> fkehyvtj.ini -> %SystemRoot%\System32\fkehyvtj.ini
NY -> glunikmv.dll -> %SystemRoot%\System32\glunikmv.dll
NY -> GQYayyxx.ini -> %SystemRoot%\System32\GQYayyxx.ini
NY -> GQYayyxx.ini2 -> %SystemRoot%\System32\GQYayyxx.ini2
NY -> grfmbyva.ini -> %SystemRoot%\System32\grfmbyva.ini
NY -> hfmkplds.ini -> %SystemRoot%\System32\hfmkplds.ini
NY -> hOYbaGgh.ini -> %SystemRoot%\System32\hOYbaGgh.ini
NY -> hOYbaGgh.ini2 -> %SystemRoot%\System32\hOYbaGgh.ini2
NY -> jtvyhekf.dll -> %SystemRoot%\System32\jtvyhekf.dll
NY -> kaypvmhp.dll -> %SystemRoot%\System32\kaypvmhp.dll
NY -> kl_done -> %SystemRoot%\System32\kl_done
NY -> krkvursw.ini -> %SystemRoot%\System32\krkvursw.ini
NY -> llvffpdk.ini -> %SystemRoot%\System32\llvffpdk.ini
NY -> lnUDNqru.ini -> %SystemRoot%\System32\lnUDNqru.ini
NY -> lnUDNqru.ini2 -> %SystemRoot%\System32\lnUDNqru.ini2
NY -> mlJAqrRh.dll -> %SystemRoot%\System32\mlJAqrRh.dll
NY -> moxbrvyt.ini -> %SystemRoot%\System32\moxbrvyt.ini
NY -> nbrstheu.ini -> %SystemRoot%\System32\nbrstheu.ini
NY -> nnnoMGWp.dll -> %SystemRoot%\System32\nnnoMGWp.dll
NY -> phmvpyak.ini -> %SystemRoot%\System32\phmvpyak.ini
NY -> pWGMonnn.ini -> %SystemRoot%\System32\pWGMonnn.ini
NY -> pWGMonnn.ini2 -> %SystemRoot%\System32\pWGMonnn.ini2
NY -> rqjlverx.ini -> %SystemRoot%\System32\rqjlverx.ini
NY -> scui.cpl -> %SystemRoot%\System32\scui.cpl
NY -> ssbecgwy.ini -> %SystemRoot%\System32\ssbecgwy.ini
NY -> tyvrbxom.dll -> %SystemRoot%\System32\tyvrbxom.dll
NY -> uCLSCcdd.ini -> %SystemRoot%\System32\uCLSCcdd.ini
NY -> uCLSCcdd.ini2 -> %SystemRoot%\System32\uCLSCcdd.ini2
NY -> vmkinulg.ini -> %SystemRoot%\System32\vmkinulg.ini
NY -> wEKQYcfe.ini -> %SystemRoot%\System32\wEKQYcfe.ini
NY -> wEKQYcfe.ini2 -> %SystemRoot%\System32\wEKQYcfe.ini2
NY -> wgvyokot.ini -> %SystemRoot%\System32\wgvyokot.ini
NY -> XbeMonmp.ini -> %SystemRoot%\System32\XbeMonmp.ini
NY -> XbeMonmp.ini2 -> %SystemRoot%\System32\XbeMonmp.ini2
NY -> XGOYFfhk.ini -> %SystemRoot%\System32\XGOYFfhk.ini
NY -> XGOYFfhk.ini2 -> %SystemRoot%\System32\XGOYFfhk.ini2
NY -> xrevljqr.dll -> %SystemRoot%\System32\xrevljqr.dll
NY -> ywgcebss.dll -> %SystemRoot%\System32\ywgcebss.dll
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> ednb.exe -> %SystemRoot%\ednb.exe
NY -> ekel.exe -> %SystemRoot%\ekel.exe
NY -> emxa.exe -> %SystemRoot%\emxa.exe
NY -> epse.exe -> %SystemRoot%\epse.exe
NY -> esta.exe -> %SystemRoot%\esta.exe
NY -> gnowmebk.dll -> %SystemRoot%\gnowmebk.dll
NY -> mdtgkswr.exe -> %SystemRoot%\mdtgkswr.exe
NY -> xmpstean.exe -> %SystemRoot%\xmpstean.exe
NY -> {25C16776-D763-43B7-9B93-E61A6D715EB2}_MZB_fpeticca.job -> %SystemRoot%\tasks\{25C16776-D763-43B7-9B93-E61A6D715EB2}_MZB_fpeticca.job
NY -> {41068522-6FBB-41C3-AACA-3FE827AC1FE9}_MZB_fpeticca.job -> %SystemRoot%\tasks\{41068522-6FBB-41C3-AACA-3FE827AC1FE9}_MZB_fpeticca.job
NY -> {E83A39BC-58F5-45CD-8FB3-5C38F9591C02}_MZB_fpeticca.job -> %SystemRoot%\tasks\{E83A39BC-58F5-45CD-8FB3-5C38F9591C02}_MZB_fpeticca.job
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> System Doctor Free -> %AllUsersProfile%\Application Data\System Doctor Free
NY -> AXPDefender -> %AppData%\AXPDefender
NY -> System Doctor Free -> %AppData%\System Doctor Free
NY -> WinIFixer.com -> %AppData%\WinIFixer.com
[Extra Registry Entries]
HKEY_CURRENT_USER\Software\AntiSpywareMaster  -> 
HKEY_CURRENT_USER\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}  -> 
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will pop up either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and Notepad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Step #5

Post the following back here by copy/pasting them into the reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run.)
  • The online virus scan report (whichever one you ran)
Attach the following back here in the reply:
  • The new OTScanIt scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
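As an added defender's example that is not part of the thread or of OldTimer's tools, the following read-only Windows PowerShell audit lists what is registered at the autostart locations the fix above cleans (SSODL, ShellExecuteHooks, Winlogon\Notify, Lsa Authentication Packages) and shows the policy values and service start mode behind the disabled Automatic Updates. It assumes the service name wuauserv, that CLSID entries resolve through HKCR\CLSID\{...}\InprocServer32, and that a valid Microsoft Authenticode signature is the expected case at these locations.

```powershell
# Added audit script (not from the thread). Reports only; nothing is deleted or changed.
# Run from an elevated Windows PowerShell prompt.

function Get-SignerSummary {
    param([string]$Path)
    # Expand %SystemRoot%-style variables, then check the Authenticode signature of the module.
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $full)) { return "MISSING: $full" }
    $sig = Get-AuthenticodeSignature -FilePath $full
    if ($sig.Status -ne 'Valid') { return "UNSIGNED ($($sig.Status)): $full" }
    # Assumption: a valid Microsoft signature is the expected case for these locations.
    if ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*') { return "Microsoft-signed: $full" }
    return "Signed by $($sig.SignerCertificate.Subject): $full"
}

function Resolve-ClsidServer {
    param([string]$Clsid)
    # A CLSID loads whatever DLL its InprocServer32 default value names.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    return (Get-ItemProperty -LiteralPath $key).'(default)'
}

function Get-AutostartReport {
    $rows = @()

    # SSODL and ShellExecuteHooks hold CLSIDs (as value name or value data); resolve each to its DLL.
    $clsidLists = @(
        @{ Name = 'SSODL';             Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' },
        @{ Name = 'ShellExecuteHooks'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' }
    )
    foreach ($loc in $clsidLists) {
        if (-not (Test-Path -LiteralPath $loc.Key)) { continue }
        $item = Get-Item -LiteralPath $loc.Key
        foreach ($name in $item.GetValueNames()) {
            $clsid = if ($name -like '{*}') { $name } else { [string]$item.GetValue($name) }
            $dll = Resolve-ClsidServer $clsid
            $rows += New-Object PSObject -Property @{
                Location = $loc.Name; Entry = $clsid
                Module   = $(if ($dll) { Get-SignerSummary $dll } else { 'no InprocServer32 (orphaned CLSID)' })
            }
        }
    }

    # Winlogon\Notify: one subkey per notification package; DllName names the module Winlogon loads.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path -LiteralPath $notify) {
        foreach ($sub in Get-ChildItem -LiteralPath $notify) {
            $dll = (Get-ItemProperty -LiteralPath $sub.PSPath).DllName
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                # A bare file name is looked up in system32.
                if (-not [IO.Path]::IsPathRooted($dll)) { $dll = "%SystemRoot%\system32\$dll" }
            }
            $rows += New-Object PSObject -Property @{
                Location = 'Winlogon\Notify'; Entry = $sub.PSChildName
                Module   = $(if ($dll) { Get-SignerSummary $dll } else { 'no DllName value' })
            }
        }
    }

    # Lsa Authentication Packages: a multi-string of module names loaded by LSASS at boot.
    $lsa = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($pkg in @($lsa.'Authentication Packages')) {
        $dll = $pkg
        if ($dll -notlike '*.dll') { $dll = "$dll.dll" }
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = "%SystemRoot%\system32\$dll" }
        $rows += New-Object PSObject -Property @{
            Location = 'Lsa\Authentication Packages'; Entry = $pkg; Module = Get-SignerSummary $dll
        }
    }
    return $rows
}

function Get-WindowsUpdateLockdown {
    # The policy values the fix above resets to 0, plus the Automatic Updates service state.
    $checks = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer';      Name = 'NoWindowsUpdate' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system';        Name = 'NoControlPanel' },
        @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate'; Name = 'DisableWindowsUpdateAccess' }
    )
    $out = @()
    foreach ($c in $checks) {
        $val = $null
        if (Test-Path -LiteralPath $c.Key) { $val = (Get-ItemProperty -LiteralPath $c.Key).($c.Name) }
        $out += New-Object PSObject -Property @{
            Item = "$($c.Key)\$($c.Name)"; Value = $val
            Note = $(if ($val) { 'RESTRICTIVE: non-zero policy present' } else { 'ok: absent or 0' })
        }
    }
    # Assumption: wuauserv is the Automatic Updates service; StartMode Disabled matches the first post's symptom.
    $svc = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
    if ($svc) {
        $out += New-Object PSObject -Property @{
            Item = 'Service wuauserv'; Value = "$($svc.StartMode)/$($svc.State)"
            Note = $(if ($svc.StartMode -eq 'Disabled') { 'RESTRICTIVE: service disabled' } else { 'ok' })
        }
    }
    return $out
}

Get-AutostartReport       | Format-Table Location, Entry, Module -AutoSize -Wrap
Get-WindowsUpdateLockdown | Format-Table Item, Value, Note -AutoSize -Wrap
```

Entries reported as MISSING or UNSIGNED in these four locations are the ones worth comparing against the fix list above before anything is removed.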


#5 jso113

jso113
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:50 PM

Posted 02 June 2008 - 10:16 AM

OldTimer,

I ran the Avenger script with no problem. However, after my computer restarted and I ran OTScanIt.exe with the script provided, I got the following error:

Otscanit
Access violation at address 004B2767 in module 'OTScanIt.exe'. Read of address 0000658C.

I clicked OK but since Explorer did not start back up, I had to Ctrl-Alt-Del to restart the computer. I went ahead and did the rest of the steps anyway. I did both the F-Secure Online Scan and Kaspersky Online Scan, which you will find pasted here after the Avenger.txt and the OTScanIt Fix Log.

I am having trouble attaching the OTScanIt Scan Log (OTScanIt.txt). It seems that I have already used up my 450k of my 512k allotment...should I paste in the results in a new reply?


Avenger.txt

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\ednb.exe" not found!
Deletion of file "C:\WINDOWS\ednb.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\ekel.exe" not found!
Deletion of file "C:\WINDOWS\ekel.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\emxa.exe" not found!
Deletion of file "C:\WINDOWS\emxa.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\epse.exe" not found!
Deletion of file "C:\WINDOWS\epse.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\esta.exe" not found!
Deletion of file "C:\WINDOWS\esta.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\gnowmebk.dll" not found!
Deletion of file "C:\WINDOWS\gnowmebk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\mdtgkswr.exe" not found!
Deletion of file "C:\WINDOWS\mdtgkswr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\avybmfrg.dll" not found!
Deletion of file "C:\WINDOWS\system32\avybmfrg.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\buxohnre.ini" not found!
Deletion of file "C:\WINDOWS\system32\buxohnre.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\cocnsnjp.ini" not found!
Deletion of file "C:\WINDOWS\system32\cocnsnjp.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\ernhoxub.dll" not found!
Deletion of file "C:\WINDOWS\system32\ernhoxub.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\fkehyvtj.ini" not found!
Deletion of file "C:\WINDOWS\system32\fkehyvtj.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\glunikmv.dll" not found!
Deletion of file "C:\WINDOWS\system32\glunikmv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\gqyayyxx.ini" not found!
Deletion of file "C:\WINDOWS\system32\gqyayyxx.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\gqyayyxx.ini2" not found!
Deletion of file "C:\WINDOWS\system32\gqyayyxx.ini2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\grfmbyva.ini" not found!
Deletion of file "C:\WINDOWS\system32\grfmbyva.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\hfmkplds.ini" not found!
Deletion of file "C:\WINDOWS\system32\hfmkplds.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\hoybaggh.ini" not found!
Deletion of file "C:\WINDOWS\system32\hoybaggh.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\hoybaggh.ini2" not found!
Deletion of file "C:\WINDOWS\system32\hoybaggh.ini2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\jtvyhekf.dll" not found!
Deletion of file "C:\WINDOWS\system32\jtvyhekf.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\kaypvmhp.dll" not found!
Deletion of file "C:\WINDOWS\system32\kaypvmhp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\kl_done" not found!
Deletion of file "C:\WINDOWS\system32\kl_done" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\krkvursw.ini" not found!
Deletion of file "C:\WINDOWS\system32\krkvursw.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\llvffpdk.ini" not found!
Deletion of file "C:\WINDOWS\system32\llvffpdk.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\lnudnqru.ini" not found!
Deletion of file "C:\WINDOWS\system32\lnudnqru.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\lnudnqru.ini2" not found!
Deletion of file "C:\WINDOWS\system32\lnudnqru.ini2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\mljaqrrh.dll" not found!
Deletion of file "C:\WINDOWS\system32\mljaqrrh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\moxbrvyt.ini" not found!
Deletion of file "C:\WINDOWS\system32\moxbrvyt.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\nbrstheu.ini" not found!
Deletion of file "C:\WINDOWS\system32\nbrstheu.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\nnnomgwp.dll" not found!
Deletion of file "C:\WINDOWS\system32\nnnomgwp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\phmvpyak.ini" not found!
Deletion of file "C:\WINDOWS\system32\phmvpyak.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\pwgmonnn.ini" not found!
Deletion of file "C:\WINDOWS\system32\pwgmonnn.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\pwgmonnn.ini2" not found!
Deletion of file "C:\WINDOWS\system32\pwgmonnn.ini2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\rqjlverx.ini" not found!
Deletion of file "C:\WINDOWS\system32\rqjlverx.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\scui.cpl" not found!
Deletion of file "C:\WINDOWS\system32\scui.cpl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\ssbecgwy.ini" not found!
Deletion of file "C:\WINDOWS\system32\ssbecgwy.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\tyvrbxom.dll" not found!
Deletion of file "C:\WINDOWS\system32\tyvrbxom.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\uclsccdd.ini" not found!
Deletion of file "C:\WINDOWS\system32\uclsccdd.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\uclsccdd.ini2" not found!
Deletion of file "C:\WINDOWS\system32\uclsccdd.ini2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\vmkinulg.ini" not found!
Deletion of file "C:\WINDOWS\system32\vmkinulg.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\wekqycfe.ini" not found!
Deletion of file "C:\WINDOWS\system32\wekqycfe.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\wekqycfe.ini2" not found!
Deletion of file "C:\WINDOWS\system32\wekqycfe.ini2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\wgvyokot.ini" not found!
Deletion of file "C:\WINDOWS\system32\wgvyokot.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\wgw.dll" not found!
Deletion of file "C:\WINDOWS\system32\wgw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\xbemonmp.ini" not found!
Deletion of file "C:\WINDOWS\system32\xbemonmp.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\xbemonmp.ini2" not found!
Deletion of file "C:\WINDOWS\system32\xbemonmp.ini2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\xgoyffhk.ini" not found!
Deletion of file "C:\WINDOWS\system32\xgoyffhk.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\xgoyffhk.ini2" not found!
Deletion of file "C:\WINDOWS\system32\xgoyffhk.ini2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\xrevljqr.dll" not found!
Deletion of file "C:\WINDOWS\system32\xrevljqr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\ywgcebss.dll" not found!
Deletion of file "C:\WINDOWS\system32\ywgcebss.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\tasks\{25c16776-d763-43b7-9b93-e61a6d715eb2}_mzb_fpeticca.job" not found!
Deletion of file "C:\WINDOWS\tasks\{25c16776-d763-43b7-9b93-e61a6d715eb2}_mzb_fpeticca.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\tasks\{41068522-6fbb-41c3-aaca-3fe827ac1fe9}_mzb_fpeticca.job" not found!
Deletion of file "C:\WINDOWS\tasks\{41068522-6fbb-41c3-aaca-3fe827ac1fe9}_mzb_fpeticca.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\tasks\{e83a39bc-58f5-45cd-8fb3-5c38f9591c02}_mzb_fpeticca.job" not found!
Deletion of file "C:\WINDOWS\tasks\{e83a39bc-58f5-45cd-8fb3-5c38f9591c02}_mzb_fpeticca.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\xmpstean.exe" not found!
Deletion of file "C:\WINDOWS\xmpstean.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat" deleted successfully.

Error: folder "C:\Documents and Settings\All Users\application data\system doctor free" not found!
Deletion of folder "C:\Documents and Settings\All Users\application data\system doctor free" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Documents and Settings\Jackie\Application Data\axpdefender" not found!
Deletion of folder "C:\Documents and Settings\Jackie\Application Data\axpdefender" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Documents and Settings\Jackie\Application Data\system doctor free" not found!
Deletion of folder "C:\Documents and Settings\Jackie\Application Data\system doctor free" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Documents and Settings\Jackie\Application Data\winifixer.com" not found!
Deletion of folder "C:\Documents and Settings\Jackie\Application Data\winifixer.com" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Program Files\antispywaremaster" not found!
Deletion of folder "C:\Program Files\antispywaremaster" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


OTScanIt fix log

Files moved on Reboot...
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.


F-Secure Scan Report

Scanning Report
Monday, June 02, 2008 08:36:46 - 09:50:41
Computer name: FPETICCALT02
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 57 malware found
Rogue:W32/XPAntivirus.S (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033280.CPL (Submitted)
Tracking Cookie (spyware)
System
Trojan-Downloader.Win32.Agent.ojm (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033250.DLL (Renamed & Submitted)
Trojan-Downloader.Win32.ConHook.rr (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033273.DLL (Renamed & Submitted)
Trojan-Downloader.Win32.Mutant.yf (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027573.DLL (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027589.DLL (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027602.DLL (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028603.DLL (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028611.DLL (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028623.DLL (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028633.DLL (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028668.DLL (Renamed & Submitted)
Trojan-Dropper.Win32.Agent.ror (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027578.SYS (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027594.SYS (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027607.SYS (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028608.SYS (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028615.SYS (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028630.SYS (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028638.SYS (Renamed & Submitted)
Trojan.Win32.Agent (virus)
System
Trojan.Win32.Agent.mtm (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032941.EXE (Renamed & Submitted)
Trojan.Win32.Agent.muz (virus)
C:\PROGRAM FILES\USS\{D1957FF4-EA22-4B4A-81A1-C62068479DED}\AMPLUGIN.DLL (Renamed & Submitted)
Trojan.Win32.Patched (virus)
System
Trojan.Win32.Patched.aa (virus)
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM32\LSASS.EXE (Submitted)
C:\WINDOWS\SYSTEM32\SERVICES.EXE (Submitted)
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE (Submitted)
C:\WINDOWS\SYSTEM32\WINLOGON.EXE (Submitted)
Trojan.Win32.Vapsup.fho (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029749.DLL (Renamed & Submitted)
Trojan.Win32.Vapsup.fhp (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029753.DLL (Renamed & Submitted)
Trojan.Win32.Vapsup.fhq (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029752.EXE (Renamed & Submitted)
Trojan.Win32.Vapsup.fhr (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029747.DLL (Renamed & Submitted)
Trojan.Win32.Vapsup.fhs (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029754.DLL (Renamed & Submitted)
Trojan.Win32.Vapsup.fht (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033256.EXE (Renamed & Submitted)
Trojan.Win32.Vapsup.fja (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028642.DLL (Renamed & Submitted)
Trojan.Win32.Vapsup.fjr (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0031898.DLL (Renamed & Submitted)
Trojan.Win32.Vapsup.fki (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033254.EXE (Renamed & Submitted)
Trojan.Win32.Vapsup.fkj (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0031897.EXE (Renamed & Submitted)
Trojan.Win32.Vapsup.fkk (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP426\A0030755.DLL (Renamed & Submitted)
Trojan.Win32.Vapsup.fkl (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029751.DLL (Renamed & Submitted)
Trojan.Win32.Vapsup.fnv (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033262.DLL (Renamed & Submitted)
Trojan.Win32.Vapsup.fry (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028643.EXE (Renamed & Submitted)
Trojan.Win32.Vapsup.fsz (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032940.DLL (Renamed & Submitted)
Trojan.Win32.Vapsup.fuk (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032939.DLL (Renamed & Submitted)
Trojan.Win32.Vapsup.fyq (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032938.DLL (Renamed & Submitted)
Trojan.Win32.Vapsup.gan (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033255.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033289.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032935.DLL (Renamed & Submitted)
Vundo.gen148 (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033276.DLL (Submitted)
Vundo.gen38 (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033260.INI (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033274.INI (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033279.INI (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033284.INI (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0031912.INI (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0031919.INI (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032919.INI (Submitted)
W32/Horst.gen33 (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0030747.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 32449
System: 4035
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 39
Deleted: 0
None: 18
Submitted: 53
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-06-02
F-Secure AVP: 7.0.171, 2008-06-02
F-Secure Pegasus: 1.20.0, 2008-04-14
F-Secure Blacklight: 1.0.68
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------



Kaspersky Online Scan

KASPERSKY ONLINE SCANNER REPORT
Monday, June 02, 2008 10:50:56
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/06/2008
Kaspersky Anti-Virus database records: 821940


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 43776
Number of viruses found 42
Number of infected objects 72
Number of suspicious objects 0
Duration of the scan process 00:50:37

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\Jackie\.jpi_cache\jar\1.0\ms0311.jar-420a3704-5a3ddd08.zip/TakePrivileges.class Infected: Trojan-Downloader.Java.OpenConnection.ak skipped

C:\Documents and Settings\Jackie\.jpi_cache\jar\1.0\ms0311.jar-420a3704-5a3ddd08.zip/SuperMSClassLoader.class Infected: Trojan.Java.ClassLoader.aq skipped

C:\Documents and Settings\Jackie\.jpi_cache\jar\1.0\ms0311.jar-420a3704-5a3ddd08.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ak skipped

C:\Documents and Settings\Jackie\.jpi_cache\jar\1.0\ms0311.jar-420a3704-5a3ddd08.zip ZIP: infected - 3 skipped

C:\Documents and Settings\Jackie\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Jackie\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Jackie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Jackie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Jackie\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jackie\Local Settings\History\History.IE5\MSHist012008060220080603\index.dat Object is locked skipped

C:\Documents and Settings\Jackie\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Jackie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jackie\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Jackie\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\rawlog.log Object is locked skipped

C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\seclog.log Object is locked skipped

C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\syslog.log Object is locked skipped

C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\tralog.log Object is locked skipped

C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AMPLUGIN.0LL Infected: Trojan.Win32.Agent.muz skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027573.0LL Infected: Trojan-Downloader.Win32.Mutant.yf skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027578.0YS Infected: Trojan-Dropper.Win32.Agent.ror skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027589.0LL Infected: Trojan-Downloader.Win32.Mutant.yf skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027594.0YS Infected: Trojan-Dropper.Win32.Agent.ror skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027602.0LL Infected: Trojan-Downloader.Win32.Mutant.yf skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027607.0YS Infected: Trojan-Dropper.Win32.Agent.ror skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027614.exe Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027639.exe Infected: not-a-virus:Downloader.Win32.WinFixer.hs skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027641.exe Infected: not-a-virus:Downloader.Win32.WinFixer.hl skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0027656.exe Infected: not-a-virus:FraudTool.Win32.AntiSpywareExpert.h skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028602.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028603.0LL Infected: Trojan-Downloader.Win32.Mutant.yf skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028608.0YS Infected: Trojan-Dropper.Win32.Agent.ror skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028611.0LL Infected: Trojan-Downloader.Win32.Mutant.yf skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028615.0YS Infected: Trojan-Dropper.Win32.Agent.ror skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028623.0LL Infected: Trojan-Downloader.Win32.Mutant.yf skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028625.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ttb skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028630.0YS Infected: Trojan-Dropper.Win32.Agent.ror skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028633.0LL Infected: Trojan-Downloader.Win32.Mutant.yf skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028638.0YS Infected: Trojan-Dropper.Win32.Agent.ror skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028642.0LL Infected: Trojan.Win32.Vapsup.fja skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028643.0XE Infected: Trojan.Win32.Vapsup.fry skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028668.0LL Infected: Trojan-Downloader.Win32.Mutant.yf skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028690.exe Infected: not-a-virus:FraudTool.Win32.VirusIsolator.g skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028708.exe Infected: not-a-virus:FraudTool.Win32.VirusIsolator.j skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0028728.exe Infected: not-a-virus:FraudTool.Win32.VirusIsolator.j skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029747.0LL Infected: Trojan.Win32.Vapsup.fhr skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029749.0LL Infected: Trojan.Win32.Vapsup.fho skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029751.0LL Infected: Trojan.Win32.Vapsup.fkl skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029752.0XE Infected: Trojan.Win32.Vapsup.fhq skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029753.0LL Infected: Trojan.Win32.Vapsup.fhp skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425\A0029754.0LL Infected: Trojan.Win32.Vapsup.fhs skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP426\A0030752.exe Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.b skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP426\A0030755.0LL Infected: Trojan.Win32.Vapsup.fkk skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP426\A0030759.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ttb skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0031897.0XE Infected: Trojan.Win32.Vapsup.fkj skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0031898.0LL Infected: Trojan.Win32.Vapsup.fjr skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032935.0LL Infected: Trojan.Win32.Vapsup.gan skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032938.0LL Infected: Trojan.Win32.Vapsup.fyq skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032939.0LL Infected: Trojan.Win32.Vapsup.fuk skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032940.0LL Infected: Trojan.Win32.Vapsup.fsz skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032941.0XE Infected: Trojan.Win32.Agent.mtm skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427\A0032967.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428\A0033098.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428\A0033098.exe RAR: infected - 1 skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428\A0033166.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428\A0033167.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428\A0033167.exe RAR: infected - 1 skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033250.0LL Infected: Trojan-Downloader.Win32.Agent.ojm skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033251.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vlu skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033254.0XE Infected: Trojan.Win32.Vapsup.fki skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033255.0XE Infected: Trojan.Win32.Vapsup.gan skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033256.0XE Infected: Trojan.Win32.Vapsup.fht skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033258.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tfx skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033262.0LL Infected: Trojan.Win32.Vapsup.fnv skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033268.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vgt skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033273.0LL Infected: Trojan-Downloader.Win32.ConHook.rr skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033280.cpl Infected: not-a-virus:FraudTool.Win32.XPAntivirus.ho skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033289.0XE Infected: Trojan.Win32.Vapsup.gan skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033290.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vgt skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033291.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.voi skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033328.exe Infected: Trojan.Win32.Patched.aa skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033330.dll Infected: Trojan.Win32.Agent.muz skipped

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\change.log Object is locked skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.aa skipped

C:\WINDOWS\system32\pavjob.log Object is locked skipped

C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.aa skipped

C:\WINDOWS\system32\spoolsv.exe Infected: Trojan.Win32.Patched.aa skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa skipped

Scan process completed.

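Two things in the scan reports above are worth separating before acting on them. Almost every Kaspersky hit sits under C:\System Volume Information\_restore{...}: those are System Restore snapshots, inert unless that restore point is ever applied (the usual cleanup step is to purge restore points once the live system is clean). The odd .0LL/.0YS/.0XE extensions on those entries are not a new infection; they are the F-Secure "Renamed" action from the earlier report. The entries that need attention now are the live ones, above all the core OS binaries (lsass.exe, services.exe, spoolsv.exe, winlogon.exe) flagged as Trojan.Win32.Patched.aa. The following script is an added example, not part of the thread or of any scanner: it parses the report's "path verdict action" lines as pasted above (single-space separated; the sample lines are excerpted from the report and embedded as constructed input) and buckets them by urgency. Bucket names and the regular expression are this example's own assumptions.

```python
# Added example (not from the thread): triage of Kaspersky Online Scanner
# report lines of the form "<path> <verdict> <action>", separating hits that
# matter now from hits that are inert until a System Restore is performed.
import re

# Lines excerpted from the report above, embedded here as constructed sample input.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\Jackie\.jpi_cache\jar\1.0\ms0311.jar-420a3704-5a3ddd08.zip/TakePrivileges.class Infected: Trojan-Downloader.Java.OpenConnection.ak skipped
C:\Documents and Settings\Jackie\.jpi_cache\jar\1.0\ms0311.jar-420a3704-5a3ddd08.zip ZIP: infected - 3 skipped
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AMPLUGIN.0LL Infected: Trojan.Win32.Agent.muz skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431\A0033251.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vlu skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428\A0033098.exe RAR: infected - 1 skipped
C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa skipped
"""

# Path (may contain spaces) is matched lazily up to the first verdict keyword.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<archive>ZIP|RAR): infected - (?P<count>\d+))"
    r"\s+(?P<action>\S+)$"
)

RESTORE_PREFIX = "c:\\system volume information\\_restore"
SYSTEM32 = "\\windows\\system32\\"


def parse_line(line):
    """Return (path, verdict, action), or None for lines that are not report entries.

    verdict is None for locked (unscanned) objects, the detection name for
    infected files, and 'ZIP archive: 3 infected' style text for containers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("locked"):
        verdict = None
    elif m.group("name"):
        verdict = m.group("name")
    else:
        verdict = f"{m.group('archive')} archive: {m.group('count')} infected"
    return m.group("path"), verdict, m.group("action")


def classify(path, verdict):
    """Bucket one entry by how urgently it needs attention (bucket names are this example's)."""
    p = path.lower()
    if verdict is None:
        return "locked"                 # scanner could not open it; not a detection
    if p.startswith(RESTORE_PREFIX):
        return "restore_point"          # inert unless that restore point is applied
    if SYSTEM32 in p and verdict.startswith("Trojan.Win32.Patched"):
        return "patched_system_binary"  # core OS binary modified in place
    return "live"


def triage(lines):
    """Group report lines into buckets of (path, verdict) tuples."""
    buckets = {"locked": [], "restore_point": [], "patched_system_binary": [], "live": []}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, verdict, _action = parsed
        buckets[classify(path, verdict)].append((path, verdict))
    return buckets


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORT.splitlines()).items():
        print(f"{bucket}: {len(hits)}")
        for path, verdict in hits:
            print(f"    {verdict or 'locked'}  {path}")
```

Run against the sample, the eight lines split into one locked object, two restore-point copies, two patched system binaries and three live detections; the last two buckets are the ones to act on first, which is exactly what the next reply in the thread does.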
#6 OldTimer (Malware Expert, Members, 11,092 posts, North Carolina)

Posted 02 June 2008 - 11:43 AM

Hi jso113. It looks like some of the operating system files are infected. Let's use DrWeb to see if it can repair them:

Step #1

Download Dr.Web CureIt
  • Doubleclick the drweb-cureit.exe file and then Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options and Change settings
  • Choose the Scan tab and remove the mark at Heuristic analysis.
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found (see the image in the original post).
  • If so, click it and then click the next icon right below and select Move incurable, as shown in the next image (see the image in the original post).

    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer, because files in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Step #2

Run a new OTScanIt scan with the following options:

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

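A "cure" of a patched system binary rewrites the file in place, so after the Dr.Web step a practitioner would want to confirm the result against a known-good copy rather than trust the scanner's verdict alone. On Windows XP the built-in mechanism is Windows File Protection: sfc /scannow compares protected files with the copies kept in %SystemRoot%\system32\dllcache (and the install media), and a tool that checks catalog signatures, such as Sysinternals sigcheck, gives an independent answer. The script below is an added example, not from the thread or from any of the tools it mentions: it hashes the binaries the scanners above flagged (lsass.exe, services.exe, spoolsv.exe, winlogon.exe, plus explorer.exe from the F-Secure list) and compares each with its dllcache copy. It assumes the default XP layout and builds a constructed temp-directory tree for the demo; the placeholder file contents are not real PE files. The caveat to keep in mind: a mismatch proves the file differs from the protected copy, but a match does not prove it is clean, because anything with the rights to patch system32 can patch dllcache as well.

```python
# Added example (not from the thread): compare each watched system binary
# with its Windows File Protection copy in system32\dllcache by SHA-256.
import hashlib
import os
import shutil
import tempfile

# Binaries the scan reports above flagged as Trojan.Win32.Patched.aa, as path
# components relative to %SystemRoot% (explorer.exe lives one level up).
WATCHLIST = (
    ("system32", "lsass.exe"),
    ("system32", "services.exe"),
    ("system32", "spoolsv.exe"),
    ("system32", "winlogon.exe"),
    ("explorer.exe",),
)


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_hashes(live, cached):
    """Pure comparison of two {name: sha256} maps.

    'match': on-disk file equals the protected copy (not proof of cleanliness);
    'mismatch': the file, or the cache, was modified; 'no_cache': nothing to compare."""
    result = {}
    for name, live_hash in live.items():
        if name not in cached:
            result[name] = "no_cache"
        elif cached[name] == live_hash:
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result


def audit(system_root, watchlist=WATCHLIST):
    """Hash each watched binary and its dllcache copy (looked up by base name)."""
    dllcache = os.path.join(system_root, "system32", "dllcache")
    live, cached = {}, {}
    for parts in watchlist:
        key = "/".join(parts)                      # platform-neutral display key
        live_path = os.path.join(system_root, *parts)
        if not os.path.isfile(live_path):
            continue                               # file absent: nothing to check
        live[key] = sha256_of(live_path)
        cache_path = os.path.join(dllcache, parts[-1])
        if os.path.isfile(cache_path):
            cached[key] = sha256_of(cache_path)
    return compare_hashes(live, cached)


def demo():
    """Constructed XP-like tree in a temp dir: one tampered binary, one without a cache copy."""
    root = tempfile.mkdtemp()
    try:
        system32 = os.path.join(root, "system32")
        dllcache = os.path.join(system32, "dllcache")
        os.makedirs(dllcache)
        clean = b"MZ" + bytes(62) + b"constructed placeholder, not a real PE"
        for name in ("lsass.exe", "services.exe", "explorer.exe"):
            with open(os.path.join(dllcache, name), "wb") as f:
                f.write(clean)                     # protected copies
        with open(os.path.join(system32, "lsass.exe"), "wb") as f:
            f.write(clean)                         # untouched
        with open(os.path.join(system32, "services.exe"), "wb") as f:
            f.write(clean + b"\xe9\x00\x10\x00\x00")  # tampered: bytes appended
        with open(os.path.join(system32, "spoolsv.exe"), "wb") as f:
            f.write(clean)                         # no dllcache copy to compare with
        with open(os.path.join(root, "explorer.exe"), "wb") as f:
            f.write(clean)                         # untouched, outside system32
        return audit(root)                         # winlogon.exe absent: not reported
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = os.environ.get("SystemRoot")
    for name, status in sorted((audit(root) if root else demo()).items()):
        print(f"{status:9} {name}")
```

On a real machine run it with SystemRoot set (as it is on any Windows shell); without it the script falls back to the constructed demo tree. Treat every mismatch as a file to restore from media rather than something to re-cure, and treat a match only as "not worse than the cache".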

#7 jso113 (Topic Starter, Members, 6 posts)

Posted 02 June 2008 - 01:37 PM

OldTimer,

Here is the result of the Dr. Web scan. I still can't attach the OTScanIt.txt because my attachment space is already used up. I don't know how to remove the last attachment so that I can attach the new one!

Dr. Web

lsass.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
services.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
spoolsv.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
winlogon.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
RegUBP2b-Jackie.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
A0027573.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.DownLoader.61474;Deleted.;
A0027578.0YS;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;BackDoor.Bulknet.195;Deleted.;
A0027589.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.DownLoader.61474;Deleted.;
A0027594.0YS;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;BackDoor.Bulknet.195;Deleted.;
A0027602.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.DownLoader.61474;Deleted.;
A0027607.0YS;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;BackDoor.Bulknet.195;Deleted.;
A0027614.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.Fakealert.676;Deleted.;
A0028602.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.DownLoader.32655;Deleted.;
A0028603.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.DownLoader.61474;Deleted.;
A0028608.0YS;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;BackDoor.Bulknet.195;Deleted.;
A0028611.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.DownLoader.61474;Deleted.;
A0028615.0YS;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;BackDoor.Bulknet.195;Deleted.;
A0028623.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.DownLoader.61474;Deleted.;
A0028630.0YS;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;BackDoor.Bulknet.195;Deleted.;
A0028633.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.DownLoader.61474;Deleted.;
A0028638.0YS;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;BackDoor.Bulknet.195;Deleted.;
A0028641.dll;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.Popuper.6066;Deleted.;
A0028642.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.Popuper.6063;Deleted.;
A0028643.0XE;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.Popuper.6067;Deleted.;
A0028668.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.DownLoader.61474;Deleted.;
A0029747.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.Popuper.6004;Deleted.;
A0029748.dll;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.Popuper.5998;Deleted.;
A0029749.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.Popuper.6004;Deleted.;
A0029750.dll;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.Popuper.6066;Deleted.;
A0029752.0XE;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.Popuper.6004;Deleted.;
A0029753.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.Popuper.6004;Deleted.;
A0029754.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP425;Trojan.Popuper.6004;Deleted.;
A0032935.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427;Trojan.Popuper.6145;Deleted.;
A0032937.dll;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427;Trojan.Popuper.5994;Deleted.;
A0032938.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427;Trojan.Popuper.6128;Deleted.;
A0032941.0XE;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP427;Trojan.Fakealert.569;Deleted.;
A0033103.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428;BackDoor.IRC.Chazz.38;Deleted.;
A0033106.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428;BackDoor.IRC.Chazz.38;Deleted.;
A0033108.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428;BackDoor.IRC.Chazz.38;Deleted.;
A0033110.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428;Tool.Prockill;Deleted.;
A0033111.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428;Tool.ShutDown.11;Deleted.;
A0033147.reg;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428;Trojan.StartPage.1505;Deleted.;
A0033151.dll;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428;Trojan.Virtumod.412;Deleted.;
A0033157.reg;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428;Trojan.StartPage.1505;Deleted.;
A0033169.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428;BackDoor.IRC.Chazz.38;Deleted.;
A0033172.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428;BackDoor.IRC.Chazz.38;Deleted.;
A0033174.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428;BackDoor.IRC.Chazz.38;Deleted.;
A0033176.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428;Tool.Prockill;Deleted.;
A0033177.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP428;Tool.ShutDown.11;Deleted.;
A0033231.reg;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.StartPage.1505;Deleted.;
A0033250.0LL;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.Proxy.origin;Incurable.Moved.;
A0033251.dll;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.DownLoader.62656;Deleted.;
A0033254.0XE;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.Popuper.5992;Deleted.;
A0033255.0XE;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.Popuper.6130;Deleted.;
A0033256.0XE;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.Popuper.6004;Deleted.;
A0033257.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.Popuper.5992;Deleted.;
A0033259.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.Popuper.6063;Deleted.;
A0033267.dll;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.Virtumod.412;Deleted.;
A0033291.dll;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.Virtumod.412;Deleted.;
A0033328.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.Starter.384;Cured.;
A0033339.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.Starter.384;Cured.;
A0033340.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.Starter.384;Cured.;
A0033341.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.Starter.384;Cured.;
A0033342.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.Starter.384;Cured.;
A0033343.reg;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP431;Trojan.StartPage.1505;Deleted.;

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 02 June 2008 - 01:55 PM

Hi jso113. DrWeb took care of those. Send me the OTScanIt log here.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#9 jso113

jso113
  • Topic Starter

  • Members
  • 6 posts

Posted 02 June 2008 - 02:08 PM

OldTimer,

I just used the Submit Malware Sample to send it to you. Hopefully we're nearing the end of the infection!

jso113

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 02 June 2008 - 03:20 PM

Hi jso113. That looks pretty good too. Just 1 straggler to take care of.

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {F4091D7B-B281-4325-8C11-7D70C81EE162} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\nnnoMGWp.dll [Reg Error: Value  does not exist or could not be read.]

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished.

Close OTScanIt.

Go ahead and run the system normally for a couple of days and then get back with me and let me know if there are any continuing issues. If everything is Ok at that time, then we have some final cleanup to do and you'll be good to go.

Cheers.

OT

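The fix above removes a single Browser Helper Object by its CLSID. As an added example that is not part of this thread and not part of the OTScanIt tool, the following PowerShell script audits the same registry location from a defender's point of view: it lists every registered BHO, resolves each CLSID to its backing DLL through the InprocServer32 key, and flags entries whose file is missing, whose Authenticode signature is not valid, or whose name matches the eight-letter random pattern of the entry in the post (that naming heuristic is an assumption modelled on `nnnoMGWp.dll`, not a rule from the thread). It only reports; it deletes nothing, so the output can be reviewed before any fix is written.

```powershell
# Added example (not from the thread): audit Internet Explorer Browser Helper Objects.
# Assumes a Windows host with PowerShell 2.0 or later; run from an elevated prompt so
# every hive is readable. The script reports and never modifies the registry.

$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # Present only on 64-bit Windows; Test-Path below skips it where it does not exist.
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoDll {
    param([string]$Clsid)
    # The BHO key only names the CLSID; the DLL path is the default value of
    # HKLM\Software\Classes\CLSID\{...}\InprocServer32 (or its Wow6432Node twin).
    $candidates = @(
        "HKLM:\Software\Classes\CLSID\$Clsid\InprocServer32",
        "HKLM:\Software\Classes\Wow6432Node\CLSID\$Clsid\InprocServer32"
    )
    foreach ($path in $candidates) {
        if (Test-Path -Path $path) {
            $raw = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
            if ($raw) {
                # Entries are often stored as %SystemRoot%\system32\... ; expand before testing.
                return [Environment]::ExpandEnvironmentVariables($raw)
            }
        }
    }
    return $null
}

function Get-BhoAudit {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName
            $dll    = Resolve-BhoDll -Clsid $clsid
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $status = 'N/A'
            if ($exists) {
                # Authenticode status of the DLL on disk; 'Valid' is the only clean result.
                $status = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            # Heuristic (assumption): eight random letters in system32, as in the post's entry.
            $randomName = [bool]($dll -and ($dll -match '\\system32\\[A-Za-z]{8}\.dll$'))
            [PSCustomObject]@{
                CLSID       = $clsid
                Dll         = $dll
                FileExists  = $exists
                Signature   = $status
                Suspicious  = (-not $exists) -or ($status -ne 'Valid') -or $randomName
            }
        }
    }
}

# Review the table first; anything marked Suspicious deserves a closer look before removal.
Get-BhoAudit | Format-Table -AutoSize
```

A BHO whose DLL no longer exists on disk (the "Reg Error: Value does not exist" case in the fix above) shows up with FileExists false, which is exactly the kind of orphaned entry a cleanup fix removes.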

#11 jso113

jso113
  • Topic Starter

  • Members
  • 6 posts

Posted 02 June 2008 - 05:57 PM

OldTimer,

You are the man. System is running nice and smooth now. I was able to enable Automatic Updates and am downloading and installing them to the machine as I type. Thank you so much for your help. I'll get back to you in a few days to let you know if everything is clean so we can perform a cleanup.

Thanks again,
jso113
